policy/modules/services/certbot.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

policy_module(certbot)

## <desc>
##	<p>
##	Determine whether additional rules
##	should be enabled to support acme.sh
##	</p>
## </desc>
gen_tunable(certbot_acmesh, false)

########################################
#
# Declarations
#

type certbot_t;
type certbot_exec_t;
init_daemon_domain(certbot_t, certbot_exec_t)

type certbot_log_t;
logging_log_file(certbot_log_t)

type certbot_runtime_t;
files_runtime_file(certbot_runtime_t)

type certbot_tmp_t;
files_tmp_file(certbot_tmp_t)

type certbot_tmpfs_t;
files_tmpfs_file(certbot_tmpfs_t)

type certbot_lib_t;
files_type(certbot_lib_t)

########################################
#
# Local policy
#

allow certbot_t self:fifo_file rw_inherited_fifo_file_perms;
allow certbot_t self:capability { chown dac_override sys_resource };
allow certbot_t self:udp_socket all_udp_socket_perms;
allow certbot_t self:tcp_socket all_tcp_socket_perms;
allow certbot_t self:netlink_route_socket create_netlink_socket_perms;

files_var_lib_filetrans(certbot_t, certbot_lib_t, dir)
manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)

manage_dirs_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
files_tmp_filetrans(certbot_t, certbot_tmp_t, { dir file })

manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })

allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;

logging_log_filetrans(certbot_t, certbot_log_t, dir)
allow certbot_t certbot_log_t:dir manage_dir_perms;
allow certbot_t certbot_log_t:file manage_file_perms;

manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t)
files_runtime_filetrans(certbot_t, certbot_runtime_t, file)

kernel_dontaudit_read_system_state(certbot_t)
kernel_search_fs_sysctls(certbot_t)

corecmd_list_bin(certbot_t)
corecmd_mmap_bin_files(certbot_t)

corenet_tcp_bind_generic_node(certbot_t)
corenet_tcp_connect_http_port(certbot_t)
corenet_tcp_connect_dns_port(certbot_t)
# bind to http port for standalone mode
corenet_tcp_bind_http_port(certbot_t)

dev_read_urand(certbot_t)

domain_use_interactive_fds(certbot_t)

files_read_etc_files(certbot_t)
files_read_usr_files(certbot_t)

# dontaudit for attempts to write python cache files
libs_dontaudit_write_lib_dirs(certbot_t)
libs_exec_ldconfig(certbot_t)
# for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
libs_exec_lib_files(certbot_t)

miscfiles_read_localization(certbot_t)

miscfiles_read_generic_certs(certbot_t)
miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
miscfiles_manage_generic_tls_privkey_files(certbot_t)
miscfiles_manage_generic_tls_privkey_symlinks(certbot_t)

sysnet_read_config(certbot_t)

userdom_dontaudit_search_user_home_dirs(certbot_t)
userdom_use_user_ptys(certbot_t)

tunable_policy(`certbot_acmesh',`
	corecmd_exec_bin(certbot_t)
	corecmd_exec_shell(certbot_t)

	logging_send_syslog_msg(certbot_t)
')

optional_policy(`
	# for writing to webroot
	apache_manage_sys_content(certbot_t)

	apache_append_log(certbot_t)
	apache_exec(certbot_t)
	apache_exec_modules(certbot_t)

	# for certbot to create nginx config
	apache_manage_config(certbot_t)

	apache_rw_runtime_files(certbot_t)
	apache_signal(certbot_t)
')

optional_policy(`
	xdg_search_config_dirs(certbot_t)
')